The National Association of State Chief Information Officers (NASCIO) released its 2020 Cybersecurity Study, “States at Risk: The Cybersecurity Imperative in Uncertain Times,” and reported a range of challenges facing state security officials during the coronavirus pandemic.
Among other findings, the study reported that COVID-19 has “challenged continuity and amplified gaps in budget, talent, and threats, and the need for partnerships.” The study, released today, is the result of responses from 51 state and territory enterprise-level CISOs.
“The impacts that COVID-19 has had on our world cannot be overstated, and state governments have certainly felt its effects,” said Denis Goulet, NASCIO president and CIO of New Hampshire. “While state CIOs and CISOs have always made cybersecurity a high priority, this year they faced new challenges. CIOs and CISOs dealt with both internal and external issues as they worked to expand and secure employee remote work and citizen services.”
In terms of how COVID-19 is reshaping the cybersecurity landscape for state governments, NASCIO found that before the pandemic 52 percent of respondents had less than five percent of their staff working remotely. However, in a move to stem the spread of the virus, 35 states now have more than half of their employees working remotely, and nine states have more than 90 percent of their workforces operating remotely.
On top of the challenges from COVID-19, the study highlights additional struggles facing CISOs. Given the frequency of cyberattacks on state and local governments, NASCIO found, surprisingly, that fewer than 40 percent of states reported having a dedicated budget line item for cybersecurity. In addition, half of states allocate less than three percent of their overall IT budgets for cybersecurity.
“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO. “The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”
In terms of how state CISOs support local governments, the study found that only 27 percent of states provide cybersecurity training to local governments and public education entities. Collaboration between state and local governments is also lacking. Only 28 percent of states reported that they had “collaborated extensively” with local governments as part of their state’s security program during the past year, with 65 percent reporting “limited collaboration.”
The study also examines the relationship between state CISOs and public colleges and universities. Only 24 percent reported “extensive collaboration,” with 63 percent reporting “limited collaboration,” and 27 percent reporting “no collaboration.”
In terms of collaboration within the state, perhaps the most concerning finding is that the majority of state CISOs, 60 percent, said they do not know the cybersecurity capabilities and controls of local government and public higher education entities.
NASCIO offered up three takeaways that it called “critical” to further enhancing the CISO’s status:
- “Recognize that cyber is at the forefront of the post-pandemic workforce of the future, and CISOs will play a key role in states’ digital adoption and technology modernization initiatives.
- Extend the influence of the CISO through collaboration and partnerships with local governments and public higher education entities, providing both cybersecurity services as well as guidance to these often-overwhelmed partners.
- Transition to a centralized form of governance for the cybersecurity function across the state and agencies, while maintaining proximity to business initiatives at the agency/program level.”